How Safe is Your Data? Four Questions to Ask About Data Security
"An epic year for data breaches" is how one data security industry publication described 2013, citing examples like the well-chronicled breaches at Target® and Adobe® (American Banker, Naked Security, February 19, 2014). The residual effect: Any industry handling sensitive consumer records took a fresh look at its practices. Likewise, regulators updated their rules about the security practices of third-party vendors.
As reported in the American Banker, the updated rules "require banks to step up their oversight of third-party vendors deemed crucial to their operations. Banks need to risk-score such vendors, conduct on-site visits, monitor them, and be extremely thorough in drafting contracts and service level agreements" (American Banker Bank Technology News, New Rules Force Banks to Decide Which Vendors are 'Critical,' May 2, 2014).
Amidst rising data security concerns, banks and credit unions are re-examining the risks associated with their check program providers. "No doubt, there's a heightened awareness of fraud generally and a new sensitivity to unauthorized access of sensitive consumer data," said Joe Filer, Harland Clarke's VP and Chief Information Security Officer. "We hear about it from our clients."
Banks and credit unions can protect themselves by fully vetting check suppliers and explicitly enumerating vendor data security responsibilities. "Historically, that has been accomplished through a good security requirement and clear expectations in the contract language," Filer explained.
When evaluating check suppliers, financial institutions should consider a range of security issues and ask these key questions.
1. Does the supplier have an industry-proven, comprehensive information security control framework?
An industry-proven, comprehensive framework is an excellent indicator that the supplier has the controls in place to meet compliance requirements. A good security control framework can include activities like an in-house security program, physical security practices and policies, and Red Flag FACTA solutions. "We subscribe to ISO 27002, which is an established industry standard that outlines hundreds of potential control mechanisms," said Filer.
2. Does your supplier have ongoing maintenance and evaluation of the effectiveness of their security framework?
Having a framework is only one step in delivering an effective data security program. Ask your supplier if they also have ongoing activities to maintain the effectiveness of their program. "Continuous attention to the security framework is essential. It is one area where you might see differences in terms of a vendor's level of commitment," said Filer. Security testing, vulnerability analysis and annual disaster recovery testing demonstrate a continuing commitment to security framework cogency.
3. Does your supplier provide you with information and tools to help with verification and validation of the protection of sensitive consumer data?
With increasing regulatory attention on data security, financial institutions are expected to perform oversight of suppliers who handle sensitive consumer information. You should expect your supplier to provide you with documentation that demonstrates they are in compliance with the regulations related to the management of non-public information. Some actions that demonstrate compliance are completion of self-assessment surveys, annual privacy statements, Payment Card Industry (PCI) compliance and independent enterprise certification (e.g., Service Organization Controls 1 and 2). "We understand how important it is to have visibility into the completeness of a data security program, so we provide our clients with a comprehensive package of compliance documents that makes validation much more effective and efficient," said Filer.
4. Does your supplier provide a structured oversight program for service provider relationships where sensitive consumer data is used?
Office of the Comptroller of the Currency guidance speaks to the fact that the financial institution's protection should extend throughout the supply chain. This has made it even more important that your suppliers have a structured oversight program with their own supply network. A supplier with a solid program will have a risk management program that classifies its vendors and monitors their data security programs. Annual control framework assessments, with periodic onsite visits, are hallmarks of a strong oversight program. The program should also include a documented summary risk assessment on any vendor that handles your account holders' sensitive data. "If there's one change in the compliance landscape, it's that some financial institutions are now more 'checklist oriented,'" said Filer. The checklist approach, however, doesn't always reveal the greatest security value. What's most important when evaluating a check program supplier? "Find a vendor that can prove the efficacy of its controls and advocates for your institution," Filer advised.
© 2014 Harland Clarke Corp. All marks are the property of their respective owners. All rights reserved.